SlideShare a Scribd company logo

NQA Your Complete Guide to ISO 27001

NA Putra, profile picture
NA Putra

The document provides an overview of ISO 27001, an international information security standard. ISO 27001 aims to help organizations securely manage risks to their information systems by establishing an Information Security Management System (ISMS). It outlines a process for organizations to identify risks, establish controls and policies, implement measures to address risks, monitor effectiveness, and enact continuous improvement. The standard is flexible and can be applied across different industries and organization sizes. Obtaining ISO 27001 certification demonstrates to customers and partners that an organization has policies and security practices in place to protect information from cyber threats.

Internet
1 of 9
Downloaded 23 times
1
2
Most read
3
4
5
6
7
Most read
8
Most read
9
YOUR COMPLETE GUIDE TO ISO 27001 9043,000 TRANSPARENT *
The 27000 series of certifications cover a variety of information security. You can optimise your time and energy by focusing on just ISO 27001, arguably the best-known and top preparation standard designed to protect your network through an information security management system (ISMS). ISO 27001 is recognised internationally and is appropriate for any company. You’ll see ISO certifications for non-profits, major corporations, boutique security firms, small e-tailers and even state and federal organisations. The standard comes from the ISO and IEC, two organisations who have made a name in standardisation as well as information security. Conservatively estimated, cyber threats cost the global economy $375 billion in losses each year. Some put the cost as high as $575 billion. You take threats seriously and ISO 27001 is the smart way to let others know. Learn how to store data securely, examine new risks and create a culture that minimises risk by seeking ISO 27001 certification. Why Isn’t There a List to Follow? ISO standards work this way because no single list works for every company — or even every division. Your organisation likely has some departments that generate new customer information every day, while others add employee information only once a month. Extending protection to both of these on the same schedule would either leave customer information vulnerable for extended periods of time or cause your HR department to continuously perform work it didn’t need. You don’t get a list, but you do get a mindset. You’ll be taught how to approach risk management around the availability of data on your network and how to implement security for it. You’ll learn how to perceive threats, find out existing risks and systematically address them. You can follow the process for the rest of your career and you’ll learn how to expand it beyond departments. For example, a solid list would likely focus on your IT department and on protecting data as it enters your systems. A framework like ISO 27001 expands protection to new areas such as the legal risks of sharing information so you avoid improper sharing through policy instead of a firewall. So What Do You Do With ISO 27001? What you need to do with the security standard is become certified. Certification — and don’t worry, we’ll help you find the best place to get certified in a later chapter — simply means that an independent organisation will look over your processes to verify that you’ve properly implemented the ISO 27001 standard. Once you’re found to be compliant, you’ll get a certification that you can display on your website, marketing materials and elsewhere. To give you a thorough understanding of the ISO 27001 standard, let’s review some basics about its creation, special requirements for the standard and the fundamentals of the standard itself. To start, read the background that you can benefit from right away. ISO 27001 is an information security management standard that proves an organisation has structured its IT to effectively manage its risks. When your company displays the ISO 27001, your customers will know that you have policies in place to protect their information from today’s big threats. What is ISO 27001? The ISO 27001 standard has become the most popular information security standard in the world with hundreds of thousands of companies acquiring certification. The standard is routinely updated to ensure that it teaches companies how to protect themselves and mitigate risks against today’s current threats. These threats are among those the ISO 27001 helps you plan for: • Cybercrime • Data vandalism • Errors related to integration with unprotected partnerships or warehouses • Internal data theft • Loss of data due to misuse or malfeasance • Misuse of information • Network breaches through third-party connections • Personal data breaches • State-sanctioned cyber attacks • Terrorists attacks • Theft • Viral attacks Think of the security protocol as a mindset. ISO 27001 doesn’t give you a step-by-step guide to protecting assets. Instead, it provides you with a framework to apply to any threats or risks you face. This means it can be tough to implement at first, but proper training will keep your organisation safe for a long time.
About the ISO and IEC The ISO 27001 certification comes from the ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission). Both organisations came together to create a special system that builds worldwide standardisation. The ISO and IEC have members from all over the globe who participate in standards development. ISO/IEC standards have become the preferred credentials for manufacturers, IT companies and customers across the globe. Currently, ISO has published more than 19,500 standards covering technology and manufacturing. Understanding Information Security Management Systems (ISMS) Information security management systems (ISMS) are a fundamental part of the ISO 27001 because you’ll use the standard to establish and maintain this system. A good ISMS involves a systemic response to new risks, allowing it to grow and change alongside your business. Every information asset must be covered by your ISMS and you’ll need to run checks whenever a new device or data set is added. The ISO/IEC standards recommend you follow a Plan-Do-Check-Act methodology to maintain your ISMS. The ISO 27001 will give you the framework to follow the methodology: • Plan: Design an ISMS workflow to assess threats and determine controls. • Do: Implement the plan. • Check: Review the implementation and evaluate its effectiveness. • Act: Make any needed changes to improve the effectiveness of your program. One essential piece of the ISMS is that you’re only being taught a method. ISO 27001 certification will give you the starting point that can keep your company safe. However, you can add to that as you wish. Some practitioners will layer a Six Sigmas DMAIC approach as well, in order to meet other requirements they may have. Obtaining ISO 27001 empowers you to create and implement the best ISMS for your company. Adapt, adopt and grow at the scale that’s perfect for you. Why You Need ISO 27001 Certification Securing ISO 27001 certification will show your employees and your customers that you can be trusted with their information. In some industries, companies will not select IT partners who do not have ISO 27001 certifications and it is often a requirement of federal or governmental data-related contracts. The chief benefit of ISO 27001 is that it gives you a reputation for being a safe and secure partner. You won’t be seen as a potential threat to business from either internal or external problems. Many companies have found that ISO 27001 certification has led to an increase in profits and influx in new business. Some even report that ISO 27001 can reduce their operational expenses by introducing review processes into their business management. Some of the benefits your organisation can expect when you introduce cybersecurity protections visible to your team and your clients include: Ability to differentiate your service from competitors: • Recognised framework for addressing legal requirements to avoid penalties or fees • Established company culture that is threat-aware • Fewer intrusions, threats and employee intrusions • Optimised IT asset usage to protect against threats • Safety policies to ensure growth is sustainable and secure • Proactive approach to managing your IT assets and your reputation • Improved opportunities across multiple business sectors • Cyber threats are on the minds of everyone. By showing the world that you’re prepared for threats, you can boost your business and potentially send malicious attacks elsewhere.
Get Your Management’s Approval One of the key differences of the ISO 27001 standard compared to most other security standards is that you’ll struggle with and potentially fail certification if your management is not working with you. Adopting an ISMS isn’t an IT decision, it’s a business strategy decision. The process must cover every department and must work within all of your departments. An ISMS must be deployed across your entire organisation and that means you’ll have to address threats and risks that could start with any department. ISO 27001 Standard: 6 Stages for Planning ISO 27001 was created to provide you with a platform-neutral, technology-neutral approach to security risks. You’ll learn to address concerns individually as well as part of larger risk management policies and have a guide to creating your safety procedures. The simplest way to view the entire process is by looking at its core values: a six-part planning assessment and procedure. Approach it from a top-down perspective and you’ll find success when you: • Define a security policy for your technology/platform/device/ company. • Create a scope for your ISMS. • Perform risk assessments based on your results from 1 and 2. • Identify risks and create a management plan. • Determine appropriate metrics and controls used to track progress when the plan is implemented. • Craft a statement of applicability to guide policy changes. These six pillars are broad steps that you’ll see throughout each of the main elements of the standard. IS0 27001 will help you maintain this high-level approach throughout documentation and audits, determining responsibility for implementation and controls, ongoing maintenance and upgrades, and risk-based activities to prevent breaches or react when they occur. While you may be the individual seeking the certification, ISO 27001 guidelines perform best when your entire company is on board.
The sections of the new ISO 20071 standard are: Scope The standard lays out the requirements and provides a management context for you to create, implement, maintain and improve your ISMS. You’ll learn the requirements for making assessments of your security risks and how to manage them relative to your organisational structure. Normative References This section will discuss the other information and background you’ll need. While there is a family of standards in the 27000s, the only one specifically required is the ISO/IEC 27000. Other standards in this family are optional and may support your ISMS development. For certification purposes, you don’t need to study or read anything beyond the ISO 27000 and ISO 27001 standards. Terms and Definitions Here you’ll learn the terms in a brief glossary. This glossary has a planned obsolescence of sorts and will be replaced by information provided in the ISO 27000 standard. You don’t have to spend any additional funding: You can get a free online copy of the ISO 27000 overview and vocabulary from the ISO. Context of the Organisation This section teaches you how to take your organisational structure and needs into account when developing your ISMS. You’ll get help building the scope of the ISMS by looking at different departments’ interaction with your IT systems and defining all of the parties who use, provide, adjust or observe your data. The goal is to “establish, implement, maintain and continually improve” your company’s ISMS. Leadership The ISO 27001 standard specifically calls for top management to be involved. This section shows you how to properly involve leadership throughout your company and what approvals you’ll need for implementing the ISMS. Go over this carefully and work with management so that you can clearly demonstrate their commitment to the ISMS as well as responsibilities for each individual section and process. Involving management through a clearly stated plan is a big part of getting your ISO 27001 certification. Planning The planning stage will feel familiar to any developers, analysts, data specialists and business managers. You’ll get assistance with the creation of a workflow for identifying, reviewing and dealing with IT security risks. It will give you the structure to review threats in relationship to your company and the objectives you’ve provided for your ISMS. Support Because you’re dealing with a policy and not a prescribed plan, support will vary and requires a broad understanding of your assets and capabilities. The support section will help you define and secure adequate resources to manage an ISMS from implementation through reviews. Pay close attention to its discussion of how to promote awareness of ISMS policies within your organisation because ISO 27001 certification will require you to have a broad policy that can be applied across divisions. Operation Threat assessment is a continually evolving practice. The operational segment will help you review threat assessment and determine what types of information you should collect from your network. Get assistance noting and evaluating threats, manage your ISMS and allow for changes, and build a policy for documenting successes, failures and weaknesses. Audits are essential to any IT security paradigm, and the ISO 27001 certification prepares you for a variety of threat assessments. Performance Evaluation Put your new knowledge into action with guidance on how to monitor your network, measure and analyse your processes, audit changes and view every IT security control relative to your KPIs. Bring your ISMS through all departments to look for proper implementation and check for threats. You’ll also improve your capabilities to improve your system. Essentially, you’ll be putting the entire Operation segment into practice with the capability to properly review and address changes. Improvement The core of ISO 27001 certification is to get better at threat analysis and management. The improvement section will help you review your auditing process as well as the audits themselves. When you identify problems and concerns through auditing, you can then determine which are true threats and need a corrective action. Beyond known threats, the improvement process helps you create a maintenance scheduled for continual improvements to your platform. You will learn standard maintenance strategies as well as develop procedures to add audits or reviews when new data is added. These 10 sections form the backbone of the ISO 27001 standard and certification. Please note that the documentation you get when reviewing the specification will also include an introduction and a reference annex. The introduction and annex aren’t included in our list because ISO documentation notes that you can deviate from the annex, so you won’t necessarily need to review those steps during your ISMS’s further development and update planning. The annex itself is listed as “normative,” so you are expected to use it during the initial creating of your ISMS. 10 Sections for Success: ISO 27001 Control Checklist The latest standard update — ISO/IEC 27001:2013 — provides you with 10 sections that will walk you through the entire process of developing your ISMS. Each of these plays a role in the planning stages and facilitates implementation and revision. By continually walking through the control checklist, you’ll have a succinct ISMS that secures your network. With each new integration, data set, client portal and BYOD policy, run through the list again to stay safe and protected.
ISO 27001 Certification Process The certification process for the ISO 27001 standard can be over in as quick as a month and only has three main steps for you to follow: Application, Assessment and Certification. Application: Here you’ll simply work with a partner to register for the certification process. There’s a specific ISO 27001 Quote Request Form that gives your certification partner information about your organisation so that they can have an accurate estimate of your business and what to check for in their audit. Assessment: We’ll review your business, the processes and the implementations that are noted on the Initial Certification Audit form. Your company will need to demonstrate that your ISMS has been implemented and fully operations for at least three months. We’ll also need to see a full cycle of internal audits. The assessment has two stages that are important to you: Stage 1 — Verify that you’re ready for an audit and assessment. • We’ll confirm that your ISMS meets standards and best practices. • Determine ISMS implementation status. • Review scope of certification. • Check that you meet legal and legislative compliance for your area. • Develop a report that notes your non-compliance areas and areas for improvement. • Create a plan that covers any corrective action. • Produce an assessment used to begin stage two assessments and testing. Stage 2 — Execute an audit to review your ISMS and certify it is functioning properly. • Perform sample audits to review activities and elements needed for certification. • Document your ISMS’s capability to compile information and review threats. • Look for non-compliance and areas of improvement. • Create a new surveillance report that reviews your system and puts forth a date for your first annual surveillance visit. Certification: ISO 27001 documentation will be issued by your certification partner and you will set up a program of annual surveillance audits plus a three-year audit program in order to receive the certification. By working with a smart partner, you can also get pre- certification training and reviews to ensure that you’re ready when the certification process begins. Don’t be shy: Always ask about options to help you prepare for ISO 27001 certification and for help maintaining requirements after the initial certification is awarded. We also recommend a gap analysis before you start the certification process. This analysis allows you to determine any likely workload and timing for implementing an ISMS (or improving your existing ISMS) that will allow you to achieve ISO 27001 certification. Gap analysis is a very good value if you plan on bringing in outside professionals for ISMS development because you’ll be able to provide them with an understanding of the scope you need. Part of the whole certification process is producing reports and policies that should guide your ISMS development and your internal audits. These can be a great place to begin because you’ll need to perform initial audits to generate some of these reports. The ISO 27001 standard itself will provide you with information you need to understand and develop required documents. Mandatory Certification Requirements: Document List To get started with your journey to the ISO 27001 certification, you should pick up a copy of the ISO documentation from the standards body. Don’t trust documents you find from an outside source unless they’re also an officially licensed provider of certifications. The latest version of the ISO 27001 standard provides a list of required documents to ensure you adhere to the standard and can meet your certification. Some of the documents are also listed as optional, but we recommend that you create these optional documents because they directly target new trends in the workforce, new technologies and important business analysis. Numbers provided near the document are a reference for explanations, requirements and more in the ISO standards documentation. For any document listed with an Annex location, you’ll need to review your processes closely. These documents are required if they’re applicable to your business. When getting certified, the third-party will determine if you need any of those documents, so review these closely and consider developing these documents just in case.
Documentation For ISO 27001 Adherence and Certification Document Name Clauses Annex Clauses Documents that you must generate Scope of the ISMS 4.3 Information security policy and objectives (may be split into two documents 5.2, 6.2 Risk assessment and risk treatment methodology 6.1.2 Statement of Applicability 6.1.3 d Risk treatment plan 6.1e, 6.2 Risk assessment report 8.2 Definition of security roles and responsibilities 7.1; 13.2.4 Inventory of assets 8.1.1 Acceptable use of assets 8.1.3 Access control policy 9.1.1 Operating procedures for IT management 12.1.1 Secure system engineering principles 14.2.5 Supplier security policy 15.1.1 Incident management procedure 16.1.5 Business continuity procedures 17.1.2 Company requirements: statutory, regulatory, and contractual 18.1.1 Records you must keep and maintain Employee experience, qualifications, skills and certifications 7.2, 7.2 Monitoring and measurement results (baselines and new) 9.1 Internal audit procedures 9.2 Internal audit results and recommendations 9.2 Management review results and recommendations 9.3 Corrective action results and recommendations 10.1 Logs by user: activities, exceptions, security events and flags 12.4, 12.4.3 Optional but recommended documents Document control procedures 7.5 Record management procedures 7.5 Internal audit guidance and review procedures 9.2 Corrective actions guidance 10.1 Bring your own device (BYOD) policy 6.2.1 Mobile and teleworking policy 6.2.1. Information classification directive 8.2.1, 8.2.2, 8.2.3 Password policies for ISMS and users 9.2.1, 9.2.2, 9.2.4, 9.3.1, 9.4.3 Data and e-waste disposal and destruction policy 8.3.2, 11.2.7 Secure area processing and access requirements 11.1.5 Clear desk and clear screen policy 11.2.9 Change management policy 12.1.2, 14.2.4 Data storage and backup policy 12.3.1 Digital data transfer policies 13.2.1, 13.2.2, 13.2.3 Business impact and development analysis procedures 17.1.1 Maintenance and review plan 17.1.3 Business continuity strategy 17.2.1
Appendix 1: Meeting Threats Through ISO 27001 NQA recommends that you undertake ISO 27001 training and certification because it can help you make the case to your business partners that you’re ready for the modern digital world. To help you make that case to your management — or to vendors you like and wish would adopt the ISO 27001 standard — we’ve prepared a brief explanation of how ISO 27001 can help you address some of the top problems digital industries face. • Risk Management Assurance. Customers demand strong risk management. The only way to prove that you have correct policies in place is to show certification and outside verification. ISO 27001 proves that you take cyber threats seriously and have prepared to address them. Certification is a clear sign that you not only have the policies in place but that you continually update and improve in order to keep your data safe. • Data Breaches. A single breach can bring down a small or mid-sized vendor. Large companies can only survive a handful, if they’re lucky. ISO 27001 audits offer great protection because they limit your vulnerability. Audits highlight potential breaches and can put other risks into focus by using the security risk framework you learn. ISO 27001 will help you prevent breaches, guarding you against customer litigation and even potential regulatory action. • Legal Compliance. We’ve focused our work on data security all around the world. There are many different laws that can be satisfied by ISO 27001 certification, and some like the UK Data Protection Act have proven track records of ISO 27001 acceptance. Implementing the standard will help you stay compliant and using NQA as your partner will ensure that you have the most relevant legal checks when you undergo any audit or review. • Lapses in Attention. At the core of the ISO 27001 standard is a security mindset. The audit process and ISMS development provide a company-wide focus on security and can make every department accountable. By spelling out who is in charge of which function and who must ensure each team member adheres to policies, you have begun to implement a strong cybersecurity protection plan. • Information Management and Access. Control over your data is vital for your business, not just for the ISO 27001 certification process. By implementing a new focus through these audits and reviews, you can determine areas that may create bottlenecks and gaps in the access, management and protection of your data. Strong audits from partners such as NQA also help you determine gaps and issues in areas where your customers access your data. That can improve customer relationships and protect you against excess liability. These are just some of the top conversations you can have with your customers and your management to show how beneficial ISO 27001 certification is. Contact NQA today for help making the case and answers to how this certification can apply specifically to your business. Appendix 2: Glossary • ISO: International Organisation for Standards — one of the two bodies responsible for creating the certification and managing its credential authentication. • ISMS: Information Security Management System — set of company policies that create a process for addressing information security, data protection and more to prevent data loss, harm, theft and errors within a company and its culture, not just its IT systems. • IEC: International Electrotechnical Commission — one of the two bodies responsible for creating the certification and managing its credential authentication. • KPI: Key Performance Indicator — a business metric used to evaluate elements that are key to the success of a program or an organisation as a whole. • Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. • Availability: Property of being accessible and usable upon demand by an authorised entity. • Competence: Ability to apply knowledge and skills to achieve intended results. • Confidentiality: Property that information is not made available or disclosed to unauthorised individuals, entities, or processes. See 27000 2.61 for help applying this to certifications. • Continual Improvement: Recurring activity to enhance performance. Will require a specific definition in relationship to your individual requirements and processes when asked for in audit documentation. • Control: Measure that is modifying risk. See 27001 2.68 for application assistance. • Correction: Action to eliminate a detected nonconformity during your audit and review processes. When compared to “Corrective Action” view this as treating a symptom and the “Action” as curing a disease. • Corrective Action: Action to eliminate the cause of a nonconformity and to prevent recurrence. This usage specifically notes action you’ll take to remove root causes. • Documented Information: Information that must be controlled and maintained by you and secured by the medium you use to collect it. This can be information in any format, from any source, and will require an audit history when documents request it. • Effectiveness: An estimated and then proven measure of the extent to which planned activities are realised and planned results achieved. • Executive Management: Person or group of people who have delegated responsibility from the governing body for implementation of strategies and policies to accomplish the purpose of the organisation. See 2.29 and 2.57 for help determining your governing body and the scope of this management. Where Should You Get Certified? You need to turn to a trusted partner when it comes to your ISO 27001 certification. Don’t put your company’s future in the hands of someone who doesn’t have a strong reputation for proper audits, valid certifications and the ability to help companies meet their goals. We work with all of our customers to ensure that they have the right processes in place to achieve certification. When any ISMS is found lacking, we’re here to work with you to create and implement strategies to address gaps we detect. You can have experts review your process and proper implementation so you don’t have to worry about creating the right platform and company mindset to achieve your goals. Reduce the risk your company faces and improve your company’s reputation by working with NQA for all of your ISO 27001 preparations and certifications. Contact us today for a free quote using our Quick Quote form.
• Information Security: Preservation of confidentiality, integrity and availability of information. Secondary properties may include authenticity verification, accountability, reliability and other elements based on your ISMS. • Indicator: A measure that provides an estimate or evaluation of specified attributes derived from an analytical model (with respect to defined information needs). • Integrity: Property of accuracy and completeness in reviews, audits and more. • Interested Party: Person or organisation that can affect, be affected, or perceive themselves to be affected by a decision or activity undertaken by an ISMS, agent, employee or other party you authorise. • Level of Risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood. Further explanation available in 2.14 (consequences), 2.45 (likelihood of risk) and 2.68 (risk magnitude) • Management System: Set of interrelated or interacting elements of an organisation to establish policies, objectives and processes to achieve those objectives. Management systems can address single or multiple disciplines and must include a variety of elements such as roles, responsibilities, planning, operations, organisational structure, and more. • Measurement: Process to determine a value. This may seem vague to some but it is important because it notes that you’re required to determine proper measurements for your ISMS implementation. • Metrics: Elements of your business used to evaluate performance and effectiveness of your ISMS and information security controls. You’ll see this in documentation from auditors, but not in the specifications themselves. • Monitoring: Determining the status of a system, process or activity. Monitoring is about status and then shifts focus when events occur. • Non-conformity: Non-fulfilment of a requirement as defined by the ISMS. • Objective: Strategic, tactical or operational result to be achieved. Objectives can differ greatly and audits will need a strong structure to properly express objectives in order to evaluate them. • Outsource (verb): Make an arrangement where an external organisation performs part of an organisation’s function or process. ISMS must review and specify all outsourcing options. Controls and responsibilities must be extremely clear when outsourcing any element. • Performance: Measureable result that can relate either to quantitative or qualitative findings. • Policy: Intentions and direction of an organisation as formally expressed by its top management. • Process: Set of interrelated or interacting activities which transforms inputs into outputs. • Reliability: Property of consistent intended behaviour and results across audits, methodology and reviews. • Requirement: Need or expectation that is stated, generally implied or obligatory. “Generally implied” is listed when the necessity of custom or practice is implied. • Residual Risk: Risk that remains after a risk treatment. These can contain unidentified risks and may also be listed as “retained risks” in auditor information. • Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. • Risk: The effect of uncertainty on objectives, including real and potential events. See 2.14 through 2.89 for a better understanding of risk, its positive and negative elements, and how it can relate to a variety of situations. • Risk Owner: Person or entity with the accountability and authority to manage a risk and related responses. • Risk Treatment: Process used to modify risk. Methods can include removing sources, changing likelihoods, adjusting consequences, retaining risks by choice, adding new actions and avoiding risks. • Top Management: Person or group of people who directs and controls an organisation at the highest level. www.nqa.com

More Related Content

PDF
NQA ISO 27001 A Guide to Annex A
NA Putra
 
PDF
NQA ISO 27701 Implementation Guide
NQA
 
PDF
NQA ISO 27701:2019 - PIM
NA Putra
 
PDF
NQA - ISO 27001 Implementation Guide
NA Putra
 
PDF
NQA ISO 22000 Food Safety Transition Gap Guide
NQA
 
PDF
NQA Your Complete Guide to ISO 27001
NQA
 
PDF
ISO 27001:2013 - A transition guide
Verde Ventures Pvt. Ltd.
 
PDF
Guide on ISO 27001 Controls
VISTA InfoSec
 
NQA ISO 27001 A Guide to Annex A
NA Putra
 
NQA ISO 27701 Implementation Guide
NQA
 
NQA ISO 27701:2019 - PIM
NA Putra
 
NQA - ISO 27001 Implementation Guide
NA Putra
 
NQA ISO 22000 Food Safety Transition Gap Guide
NQA
 
NQA Your Complete Guide to ISO 27001
NQA
 
ISO 27001:2013 - A transition guide
Verde Ventures Pvt. Ltd.
 
Guide on ISO 27001 Controls
VISTA InfoSec
 

What's hot (19)

PDF
ISO 27001:2013 - Changes
n|u - The Open Security Community
 
PDF
NQA Your Risk Assurance Partner
NQA
 
PDF
ISO 27001 Checklist - ISMS Scope - Clause 4.3 - 38 checklist Questions
himalya sharma
 
PDF
Cloud Computing | Cloud Security | Cloud Computing Audit Checklist | 499 Chec...
himalya sharma
 
PDF
Transitioning to iso 27001 2013
SAIGlobalAssurance
 
PDF
NQA ISO 27001 Implementation Guide
NQA
 
PDF
ISO 27001 Implementation_Documentation_Mandatory_List
SriramITISConsultant
 
ODP
Iso 27001 10_apr_2006
Khawar Nehal khawar.nehal@atrc.net.pk
 
PDF
ISO 27001 Checklist - Documented Information - Clause 7.5 - 45 checklist Ques...
himalya sharma
 
PPTX
ISO 27001 Certification: An All-Access Pass
A-lign
 
PDF
Iso 27001 certification body in singapore
iassingapore
 
PDF
ISO 27001 ISMS MEASUREMENT
Gaffri Johnson
 
PDF
27001 2015(+a1)
Carlos Ayil
 
PPTX
Iso 27000 it management systems presentation peter greenham iigi fwr group i...
IndependentCertificationServices
 
PDF
Why ISO27001 For My Organisation
Vigilant Software
 
PPTX
27001 awareness Training
Dr Madhu Aman Sharma
 
PDF
ISO 27001 Checklist - Management Review - Clause 9.3 - 59 checklist Questions
himalya sharma
 
PPT
ISMS implementation challenges-KASYS
Reza Teynia ISMS, ITSM, MSc
 
PDF
Lead Auditor Course on ISO 27001:2013 (ISMS) - IRCA
myTectra Learning Solutions Private Ltd
 
ISO 27001:2013 - Changes
n|u - The Open Security Community
 
NQA Your Risk Assurance Partner
NQA
 
ISO 27001 Checklist - ISMS Scope - Clause 4.3 - 38 checklist Questions
himalya sharma
 
Cloud Computing | Cloud Security | Cloud Computing Audit Checklist | 499 Chec...
himalya sharma
 
Transitioning to iso 27001 2013
SAIGlobalAssurance
 
NQA ISO 27001 Implementation Guide
NQA
 
ISO 27001 Implementation_Documentation_Mandatory_List
SriramITISConsultant
 
Iso 27001 10_apr_2006
Khawar Nehal khawar.nehal@atrc.net.pk
 
ISO 27001 Checklist - Documented Information - Clause 7.5 - 45 checklist Ques...
himalya sharma
 
ISO 27001 Certification: An All-Access Pass
A-lign
 
Iso 27001 certification body in singapore
iassingapore
 
ISO 27001 ISMS MEASUREMENT
Gaffri Johnson
 
27001 2015(+a1)
Carlos Ayil
 
Iso 27000 it management systems presentation peter greenham iigi fwr group i...
IndependentCertificationServices
 
Why ISO27001 For My Organisation
Vigilant Software
 
27001 awareness Training
Dr Madhu Aman Sharma
 
ISO 27001 Checklist - Management Review - Clause 9.3 - 59 checklist Questions
himalya sharma
 
ISMS implementation challenges-KASYS
Reza Teynia ISMS, ITSM, MSc
 
Lead Auditor Course on ISO 27001:2013 (ISMS) - IRCA
myTectra Learning Solutions Private Ltd
 
Ad

Similar to NQA Your Complete Guide to ISO 27001 (20)

PPTX
Information Security Management-Planning 1.pptx
FrancisFayiah
 
PDF
Unlocking the Benefits of ISO 27001 Certification for Information Security.pdf
udyam registration
 
PDF
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
Tromenz Learning
 
PDF
ISO 27001 Information Security Management.pdf
Nepal Realistic Solution Pvt. Ltd.
 
DOCX
A Comprehensive Guide to ISO 27001 Standard for Information Security
4C Consulting Private Limited
 
PDF
Whitepaper iso 27001_isms | All about ISO 27001
Chandan Singh Ghodela
 
PPT
Prerequisites to ISO 27001 Certification
shanaadams190
 
PDF
ISO 27001 Certification-Your Pathway to Unbeatable Data Protection-IAS-GULF-O...
sm0096157
 
DOCX
Understanding ISO 27001: A Key Standard for Information Security Management
4C Consulting Private Limited
 
PDF
Achieving ISO 27001 Certification.pdf
microteklearning21
 
PPTX
Unlocking the Benefits of ISO 27001 Certification for Information Security.pptx
udyam registration
 
PDF
NQA-ISO-27001-Implementation-Guide and implementation procedure book
Krushna Mahapatra
 
PDF
NQA-ISO-27001-Implementation-Guide.pdf..
ssuserc911b3
 
PDF
Why ISO 27001 Certification Matters for Your Business.pdf
BORNSEC CONSULTING
 
PPT
27001 certification.ppt
Fayemunoz
 
PPT
ISO 27001 Certification ISO 27001 Certification
joerobbins13
 
PPT
certificacion ISO 27001 bogota (Spain).ppt
keithhansen21
 
PPTX
What Is the Scope of ISO 27001 Certification in the Netherlands.pptx
Anoosha Factocert
 
PPTX
Iso 27001 awareness
Ãsħâr Ãâlâm
 
PDF
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Information Security Management-Planning 1.pptx
FrancisFayiah
 
Unlocking the Benefits of ISO 27001 Certification for Information Security.pdf
udyam registration
 
A Comprehensive Guide To Information Security Excellence ISO 27001 Certificat...
Tromenz Learning
 
ISO 27001 Information Security Management.pdf
Nepal Realistic Solution Pvt. Ltd.
 
A Comprehensive Guide to ISO 27001 Standard for Information Security
4C Consulting Private Limited
 
Whitepaper iso 27001_isms | All about ISO 27001
Chandan Singh Ghodela
 
Prerequisites to ISO 27001 Certification
shanaadams190
 
ISO 27001 Certification-Your Pathway to Unbeatable Data Protection-IAS-GULF-O...
sm0096157
 
Understanding ISO 27001: A Key Standard for Information Security Management
4C Consulting Private Limited
 
Achieving ISO 27001 Certification.pdf
microteklearning21
 
Unlocking the Benefits of ISO 27001 Certification for Information Security.pptx
udyam registration
 
NQA-ISO-27001-Implementation-Guide and implementation procedure book
Krushna Mahapatra
 
NQA-ISO-27001-Implementation-Guide.pdf..
ssuserc911b3
 
Why ISO 27001 Certification Matters for Your Business.pdf
BORNSEC CONSULTING
 
27001 certification.ppt
Fayemunoz
 
ISO 27001 Certification ISO 27001 Certification
joerobbins13
 
certificacion ISO 27001 bogota (Spain).ppt
keithhansen21
 
What Is the Scope of ISO 27001 Certification in the Netherlands.pptx
Anoosha Factocert
 
Iso 27001 awareness
Ãsħâr Ãâlâm
 
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Ad

More from NA Putra (18)

PDF
NQA ISO 50001:2018 Implementation Guide
NA Putra
 
PDF
NQA Migration OHSAS to ISO 45001
NA Putra
 
PDF
NQA ISO 27701 Implementation Guide
NA Putra
 
PDF
NQA ISO 22000:2018 Implementation Guide
NA Putra
 
PDF
NQA ISO 22000:2018 Transition Gap Guide
NA Putra
 
PDF
NQA ISO 50001:2018 energy management gap guide
NA Putra
 
PDF
NQA - ISO 13485 Transition Checklist
NA Putra
 
PDF
NQA - Aerospace transition strategy key changes final
NA Putra
 
PDF
NQA - 10 Steps to IMS Guide
NA Putra
 
PDF
6 Tips for ISO
NA Putra
 
PDF
NQA Brochure 2018
NA Putra
 
PDF
NQA - Guide to transferring certification
NA Putra
 
PDF
NQA - Information security best practice guide
NA Putra
 
PDF
NQA - ISO 13485 Gap Guide
NA Putra
 
PDF
NQA - ISO 45001 Implementation Guide
NA Putra
 
PDF
NQA - ISO 14001 Implementation Guide
NA Putra
 
PDF
NQA - ISO 9001 Implementation Guide
NA Putra
 
PDF
NQA - Start Your Journey with NQA
NA Putra
 
NQA ISO 50001:2018 Implementation Guide
NA Putra
 
NQA Migration OHSAS to ISO 45001
NA Putra
 
NQA ISO 27701 Implementation Guide
NA Putra
 
NQA ISO 22000:2018 Implementation Guide
NA Putra
 
NQA ISO 22000:2018 Transition Gap Guide
NA Putra
 
NQA ISO 50001:2018 energy management gap guide
NA Putra
 
NQA - ISO 13485 Transition Checklist
NA Putra
 
NQA - Aerospace transition strategy key changes final
NA Putra
 
NQA - 10 Steps to IMS Guide
NA Putra
 
6 Tips for ISO
NA Putra
 
NQA Brochure 2018
NA Putra
 
NQA - Guide to transferring certification
NA Putra
 
NQA - Information security best practice guide
NA Putra
 
NQA - ISO 13485 Gap Guide
NA Putra
 
NQA - ISO 45001 Implementation Guide
NA Putra
 
NQA - ISO 14001 Implementation Guide
NA Putra
 
NQA - ISO 9001 Implementation Guide
NA Putra
 
NQA - Start Your Journey with NQA
NA Putra
 

Recently uploaded (20)

PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PDF
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPTX
QR Codes Qr codecodecodecodecocodedecodecode
SRMediaZone
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
Funds Management Learning Material for Beg
NKKumar16
 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
QR Codes Qr codecodecodecodecocodedecodecode
SRMediaZone
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
artificial intelligence overview of it and more
yafotin445
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 

NQA Your Complete Guide to ISO 27001

  • 1. YOUR COMPLETE GUIDE TO ISO 27001 9043,000 TRANSPARENT *
  • 2. The 27000 series of certifications cover a variety of information security. You can optimise your time and energy by focusing on just ISO 27001, arguably the best-known and top preparation standard designed to protect your network through an information security management system (ISMS). ISO 27001 is recognised internationally and is appropriate for any company. You’ll see ISO certifications for non-profits, major corporations, boutique security firms, small e-tailers and even state and federal organisations. The standard comes from the ISO and IEC, two organisations who have made a name in standardisation as well as information security. Conservatively estimated, cyber threats cost the global economy $375 billion in losses each year. Some put the cost as high as $575 billion. You take threats seriously and ISO 27001 is the smart way to let others know. Learn how to store data securely, examine new risks and create a culture that minimises risk by seeking ISO 27001 certification. Why Isn’t There a List to Follow? ISO standards work this way because no single list works for every company — or even every division. Your organisation likely has some departments that generate new customer information every day, while others add employee information only once a month. Extending protection to both of these on the same schedule would either leave customer information vulnerable for extended periods of time or cause your HR department to continuously perform work it didn’t need. You don’t get a list, but you do get a mindset. You’ll be taught how to approach risk management around the availability of data on your network and how to implement security for it. You’ll learn how to perceive threats, find out existing risks and systematically address them. You can follow the process for the rest of your career and you’ll learn how to expand it beyond departments. For example, a solid list would likely focus on your IT department and on protecting data as it enters your systems. A framework like ISO 27001 expands protection to new areas such as the legal risks of sharing information so you avoid improper sharing through policy instead of a firewall. So What Do You Do With ISO 27001? What you need to do with the security standard is become certified. Certification — and don’t worry, we’ll help you find the best place to get certified in a later chapter — simply means that an independent organisation will look over your processes to verify that you’ve properly implemented the ISO 27001 standard. Once you’re found to be compliant, you’ll get a certification that you can display on your website, marketing materials and elsewhere. To give you a thorough understanding of the ISO 27001 standard, let’s review some basics about its creation, special requirements for the standard and the fundamentals of the standard itself. To start, read the background that you can benefit from right away. ISO 27001 is an information security management standard that proves an organisation has structured its IT to effectively manage its risks. When your company displays the ISO 27001, your customers will know that you have policies in place to protect their information from today’s big threats. What is ISO 27001? The ISO 27001 standard has become the most popular information security standard in the world with hundreds of thousands of companies acquiring certification. The standard is routinely updated to ensure that it teaches companies how to protect themselves and mitigate risks against today’s current threats. These threats are among those the ISO 27001 helps you plan for: • Cybercrime • Data vandalism • Errors related to integration with unprotected partnerships or warehouses • Internal data theft • Loss of data due to misuse or malfeasance • Misuse of information • Network breaches through third-party connections • Personal data breaches • State-sanctioned cyber attacks • Terrorists attacks • Theft • Viral attacks Think of the security protocol as a mindset. ISO 27001 doesn’t give you a step-by-step guide to protecting assets. Instead, it provides you with a framework to apply to any threats or risks you face. This means it can be tough to implement at first, but proper training will keep your organisation safe for a long time.
  • 3. About the ISO and IEC The ISO 27001 certification comes from the ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission). Both organisations came together to create a special system that builds worldwide standardisation. The ISO and IEC have members from all over the globe who participate in standards development. ISO/IEC standards have become the preferred credentials for manufacturers, IT companies and customers across the globe. Currently, ISO has published more than 19,500 standards covering technology and manufacturing. Understanding Information Security Management Systems (ISMS) Information security management systems (ISMS) are a fundamental part of the ISO 27001 because you’ll use the standard to establish and maintain this system. A good ISMS involves a systemic response to new risks, allowing it to grow and change alongside your business. Every information asset must be covered by your ISMS and you’ll need to run checks whenever a new device or data set is added. The ISO/IEC standards recommend you follow a Plan-Do-Check-Act methodology to maintain your ISMS. The ISO 27001 will give you the framework to follow the methodology: • Plan: Design an ISMS workflow to assess threats and determine controls. • Do: Implement the plan. • Check: Review the implementation and evaluate its effectiveness. • Act: Make any needed changes to improve the effectiveness of your program. One essential piece of the ISMS is that you’re only being taught a method. ISO 27001 certification will give you the starting point that can keep your company safe. However, you can add to that as you wish. Some practitioners will layer a Six Sigmas DMAIC approach as well, in order to meet other requirements they may have. Obtaining ISO 27001 empowers you to create and implement the best ISMS for your company. Adapt, adopt and grow at the scale that’s perfect for you. Why You Need ISO 27001 Certification Securing ISO 27001 certification will show your employees and your customers that you can be trusted with their information. In some industries, companies will not select IT partners who do not have ISO 27001 certifications and it is often a requirement of federal or governmental data-related contracts. The chief benefit of ISO 27001 is that it gives you a reputation for being a safe and secure partner. You won’t be seen as a potential threat to business from either internal or external problems. Many companies have found that ISO 27001 certification has led to an increase in profits and influx in new business. Some even report that ISO 27001 can reduce their operational expenses by introducing review processes into their business management. Some of the benefits your organisation can expect when you introduce cybersecurity protections visible to your team and your clients include: Ability to differentiate your service from competitors: • Recognised framework for addressing legal requirements to avoid penalties or fees • Established company culture that is threat-aware • Fewer intrusions, threats and employee intrusions • Optimised IT asset usage to protect against threats • Safety policies to ensure growth is sustainable and secure • Proactive approach to managing your IT assets and your reputation • Improved opportunities across multiple business sectors • Cyber threats are on the minds of everyone. By showing the world that you’re prepared for threats, you can boost your business and potentially send malicious attacks elsewhere.
  • 4. Get Your Management’s Approval One of the key differences of the ISO 27001 standard compared to most other security standards is that you’ll struggle with and potentially fail certification if your management is not working with you. Adopting an ISMS isn’t an IT decision, it’s a business strategy decision. The process must cover every department and must work within all of your departments. An ISMS must be deployed across your entire organisation and that means you’ll have to address threats and risks that could start with any department. ISO 27001 Standard: 6 Stages for Planning ISO 27001 was created to provide you with a platform-neutral, technology-neutral approach to security risks. You’ll learn to address concerns individually as well as part of larger risk management policies and have a guide to creating your safety procedures. The simplest way to view the entire process is by looking at its core values: a six-part planning assessment and procedure. Approach it from a top-down perspective and you’ll find success when you: • Define a security policy for your technology/platform/device/ company. • Create a scope for your ISMS. • Perform risk assessments based on your results from 1 and 2. • Identify risks and create a management plan. • Determine appropriate metrics and controls used to track progress when the plan is implemented. • Craft a statement of applicability to guide policy changes. These six pillars are broad steps that you’ll see throughout each of the main elements of the standard. IS0 27001 will help you maintain this high-level approach throughout documentation and audits, determining responsibility for implementation and controls, ongoing maintenance and upgrades, and risk-based activities to prevent breaches or react when they occur. While you may be the individual seeking the certification, ISO 27001 guidelines perform best when your entire company is on board.
  • 5. The sections of the new ISO 20071 standard are: Scope The standard lays out the requirements and provides a management context for you to create, implement, maintain and improve your ISMS. You’ll learn the requirements for making assessments of your security risks and how to manage them relative to your organisational structure. Normative References This section will discuss the other information and background you’ll need. While there is a family of standards in the 27000s, the only one specifically required is the ISO/IEC 27000. Other standards in this family are optional and may support your ISMS development. For certification purposes, you don’t need to study or read anything beyond the ISO 27000 and ISO 27001 standards. Terms and Definitions Here you’ll learn the terms in a brief glossary. This glossary has a planned obsolescence of sorts and will be replaced by information provided in the ISO 27000 standard. You don’t have to spend any additional funding: You can get a free online copy of the ISO 27000 overview and vocabulary from the ISO. Context of the Organisation This section teaches you how to take your organisational structure and needs into account when developing your ISMS. You’ll get help building the scope of the ISMS by looking at different departments’ interaction with your IT systems and defining all of the parties who use, provide, adjust or observe your data. The goal is to “establish, implement, maintain and continually improve” your company’s ISMS. Leadership The ISO 27001 standard specifically calls for top management to be involved. This section shows you how to properly involve leadership throughout your company and what approvals you’ll need for implementing the ISMS. Go over this carefully and work with management so that you can clearly demonstrate their commitment to the ISMS as well as responsibilities for each individual section and process. Involving management through a clearly stated plan is a big part of getting your ISO 27001 certification. Planning The planning stage will feel familiar to any developers, analysts, data specialists and business managers. You’ll get assistance with the creation of a workflow for identifying, reviewing and dealing with IT security risks. It will give you the structure to review threats in relationship to your company and the objectives you’ve provided for your ISMS. Support Because you’re dealing with a policy and not a prescribed plan, support will vary and requires a broad understanding of your assets and capabilities. The support section will help you define and secure adequate resources to manage an ISMS from implementation through reviews. Pay close attention to its discussion of how to promote awareness of ISMS policies within your organisation because ISO 27001 certification will require you to have a broad policy that can be applied across divisions. Operation Threat assessment is a continually evolving practice. The operational segment will help you review threat assessment and determine what types of information you should collect from your network. Get assistance noting and evaluating threats, manage your ISMS and allow for changes, and build a policy for documenting successes, failures and weaknesses. Audits are essential to any IT security paradigm, and the ISO 27001 certification prepares you for a variety of threat assessments. Performance Evaluation Put your new knowledge into action with guidance on how to monitor your network, measure and analyse your processes, audit changes and view every IT security control relative to your KPIs. Bring your ISMS through all departments to look for proper implementation and check for threats. You’ll also improve your capabilities to improve your system. Essentially, you’ll be putting the entire Operation segment into practice with the capability to properly review and address changes. Improvement The core of ISO 27001 certification is to get better at threat analysis and management. The improvement section will help you review your auditing process as well as the audits themselves. When you identify problems and concerns through auditing, you can then determine which are true threats and need a corrective action. Beyond known threats, the improvement process helps you create a maintenance scheduled for continual improvements to your platform. You will learn standard maintenance strategies as well as develop procedures to add audits or reviews when new data is added. These 10 sections form the backbone of the ISO 27001 standard and certification. Please note that the documentation you get when reviewing the specification will also include an introduction and a reference annex. The introduction and annex aren’t included in our list because ISO documentation notes that you can deviate from the annex, so you won’t necessarily need to review those steps during your ISMS’s further development and update planning. The annex itself is listed as “normative,” so you are expected to use it during the initial creating of your ISMS. 10 Sections for Success: ISO 27001 Control Checklist The latest standard update — ISO/IEC 27001:2013 — provides you with 10 sections that will walk you through the entire process of developing your ISMS. Each of these plays a role in the planning stages and facilitates implementation and revision. By continually walking through the control checklist, you’ll have a succinct ISMS that secures your network. With each new integration, data set, client portal and BYOD policy, run through the list again to stay safe and protected.
  • 6. ISO 27001 Certification Process The certification process for the ISO 27001 standard can be over in as quick as a month and only has three main steps for you to follow: Application, Assessment and Certification. Application: Here you’ll simply work with a partner to register for the certification process. There’s a specific ISO 27001 Quote Request Form that gives your certification partner information about your organisation so that they can have an accurate estimate of your business and what to check for in their audit. Assessment: We’ll review your business, the processes and the implementations that are noted on the Initial Certification Audit form. Your company will need to demonstrate that your ISMS has been implemented and fully operations for at least three months. We’ll also need to see a full cycle of internal audits. The assessment has two stages that are important to you: Stage 1 — Verify that you’re ready for an audit and assessment. • We’ll confirm that your ISMS meets standards and best practices. • Determine ISMS implementation status. • Review scope of certification. • Check that you meet legal and legislative compliance for your area. • Develop a report that notes your non-compliance areas and areas for improvement. • Create a plan that covers any corrective action. • Produce an assessment used to begin stage two assessments and testing. Stage 2 — Execute an audit to review your ISMS and certify it is functioning properly. • Perform sample audits to review activities and elements needed for certification. • Document your ISMS’s capability to compile information and review threats. • Look for non-compliance and areas of improvement. • Create a new surveillance report that reviews your system and puts forth a date for your first annual surveillance visit. Certification: ISO 27001 documentation will be issued by your certification partner and you will set up a program of annual surveillance audits plus a three-year audit program in order to receive the certification. By working with a smart partner, you can also get pre- certification training and reviews to ensure that you’re ready when the certification process begins. Don’t be shy: Always ask about options to help you prepare for ISO 27001 certification and for help maintaining requirements after the initial certification is awarded. We also recommend a gap analysis before you start the certification process. This analysis allows you to determine any likely workload and timing for implementing an ISMS (or improving your existing ISMS) that will allow you to achieve ISO 27001 certification. Gap analysis is a very good value if you plan on bringing in outside professionals for ISMS development because you’ll be able to provide them with an understanding of the scope you need. Part of the whole certification process is producing reports and policies that should guide your ISMS development and your internal audits. These can be a great place to begin because you’ll need to perform initial audits to generate some of these reports. The ISO 27001 standard itself will provide you with information you need to understand and develop required documents. Mandatory Certification Requirements: Document List To get started with your journey to the ISO 27001 certification, you should pick up a copy of the ISO documentation from the standards body. Don’t trust documents you find from an outside source unless they’re also an officially licensed provider of certifications. The latest version of the ISO 27001 standard provides a list of required documents to ensure you adhere to the standard and can meet your certification. Some of the documents are also listed as optional, but we recommend that you create these optional documents because they directly target new trends in the workforce, new technologies and important business analysis. Numbers provided near the document are a reference for explanations, requirements and more in the ISO standards documentation. For any document listed with an Annex location, you’ll need to review your processes closely. These documents are required if they’re applicable to your business. When getting certified, the third-party will determine if you need any of those documents, so review these closely and consider developing these documents just in case.
  • 7. Documentation For ISO 27001 Adherence and Certification Document Name Clauses Annex Clauses Documents that you must generate Scope of the ISMS 4.3 Information security policy and objectives (may be split into two documents 5.2, 6.2 Risk assessment and risk treatment methodology 6.1.2 Statement of Applicability 6.1.3 d Risk treatment plan 6.1e, 6.2 Risk assessment report 8.2 Definition of security roles and responsibilities 7.1; 13.2.4 Inventory of assets 8.1.1 Acceptable use of assets 8.1.3 Access control policy 9.1.1 Operating procedures for IT management 12.1.1 Secure system engineering principles 14.2.5 Supplier security policy 15.1.1 Incident management procedure 16.1.5 Business continuity procedures 17.1.2 Company requirements: statutory, regulatory, and contractual 18.1.1 Records you must keep and maintain Employee experience, qualifications, skills and certifications 7.2, 7.2 Monitoring and measurement results (baselines and new) 9.1 Internal audit procedures 9.2 Internal audit results and recommendations 9.2 Management review results and recommendations 9.3 Corrective action results and recommendations 10.1 Logs by user: activities, exceptions, security events and flags 12.4, 12.4.3 Optional but recommended documents Document control procedures 7.5 Record management procedures 7.5 Internal audit guidance and review procedures 9.2 Corrective actions guidance 10.1 Bring your own device (BYOD) policy 6.2.1 Mobile and teleworking policy 6.2.1. Information classification directive 8.2.1, 8.2.2, 8.2.3 Password policies for ISMS and users 9.2.1, 9.2.2, 9.2.4, 9.3.1, 9.4.3 Data and e-waste disposal and destruction policy 8.3.2, 11.2.7 Secure area processing and access requirements 11.1.5 Clear desk and clear screen policy 11.2.9 Change management policy 12.1.2, 14.2.4 Data storage and backup policy 12.3.1 Digital data transfer policies 13.2.1, 13.2.2, 13.2.3 Business impact and development analysis procedures 17.1.1 Maintenance and review plan 17.1.3 Business continuity strategy 17.2.1
  • 8. Appendix 1: Meeting Threats Through ISO 27001 NQA recommends that you undertake ISO 27001 training and certification because it can help you make the case to your business partners that you’re ready for the modern digital world. To help you make that case to your management — or to vendors you like and wish would adopt the ISO 27001 standard — we’ve prepared a brief explanation of how ISO 27001 can help you address some of the top problems digital industries face. • Risk Management Assurance. Customers demand strong risk management. The only way to prove that you have correct policies in place is to show certification and outside verification. ISO 27001 proves that you take cyber threats seriously and have prepared to address them. Certification is a clear sign that you not only have the policies in place but that you continually update and improve in order to keep your data safe. • Data Breaches. A single breach can bring down a small or mid-sized vendor. Large companies can only survive a handful, if they’re lucky. ISO 27001 audits offer great protection because they limit your vulnerability. Audits highlight potential breaches and can put other risks into focus by using the security risk framework you learn. ISO 27001 will help you prevent breaches, guarding you against customer litigation and even potential regulatory action. • Legal Compliance. We’ve focused our work on data security all around the world. There are many different laws that can be satisfied by ISO 27001 certification, and some like the UK Data Protection Act have proven track records of ISO 27001 acceptance. Implementing the standard will help you stay compliant and using NQA as your partner will ensure that you have the most relevant legal checks when you undergo any audit or review. • Lapses in Attention. At the core of the ISO 27001 standard is a security mindset. The audit process and ISMS development provide a company-wide focus on security and can make every department accountable. By spelling out who is in charge of which function and who must ensure each team member adheres to policies, you have begun to implement a strong cybersecurity protection plan. • Information Management and Access. Control over your data is vital for your business, not just for the ISO 27001 certification process. By implementing a new focus through these audits and reviews, you can determine areas that may create bottlenecks and gaps in the access, management and protection of your data. Strong audits from partners such as NQA also help you determine gaps and issues in areas where your customers access your data. That can improve customer relationships and protect you against excess liability. These are just some of the top conversations you can have with your customers and your management to show how beneficial ISO 27001 certification is. Contact NQA today for help making the case and answers to how this certification can apply specifically to your business. Appendix 2: Glossary • ISO: International Organisation for Standards — one of the two bodies responsible for creating the certification and managing its credential authentication. • ISMS: Information Security Management System — set of company policies that create a process for addressing information security, data protection and more to prevent data loss, harm, theft and errors within a company and its culture, not just its IT systems. • IEC: International Electrotechnical Commission — one of the two bodies responsible for creating the certification and managing its credential authentication. • KPI: Key Performance Indicator — a business metric used to evaluate elements that are key to the success of a program or an organisation as a whole. • Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. • Availability: Property of being accessible and usable upon demand by an authorised entity. • Competence: Ability to apply knowledge and skills to achieve intended results. • Confidentiality: Property that information is not made available or disclosed to unauthorised individuals, entities, or processes. See 27000 2.61 for help applying this to certifications. • Continual Improvement: Recurring activity to enhance performance. Will require a specific definition in relationship to your individual requirements and processes when asked for in audit documentation. • Control: Measure that is modifying risk. See 27001 2.68 for application assistance. • Correction: Action to eliminate a detected nonconformity during your audit and review processes. When compared to “Corrective Action” view this as treating a symptom and the “Action” as curing a disease. • Corrective Action: Action to eliminate the cause of a nonconformity and to prevent recurrence. This usage specifically notes action you’ll take to remove root causes. • Documented Information: Information that must be controlled and maintained by you and secured by the medium you use to collect it. This can be information in any format, from any source, and will require an audit history when documents request it. • Effectiveness: An estimated and then proven measure of the extent to which planned activities are realised and planned results achieved. • Executive Management: Person or group of people who have delegated responsibility from the governing body for implementation of strategies and policies to accomplish the purpose of the organisation. See 2.29 and 2.57 for help determining your governing body and the scope of this management. Where Should You Get Certified? You need to turn to a trusted partner when it comes to your ISO 27001 certification. Don’t put your company’s future in the hands of someone who doesn’t have a strong reputation for proper audits, valid certifications and the ability to help companies meet their goals. We work with all of our customers to ensure that they have the right processes in place to achieve certification. When any ISMS is found lacking, we’re here to work with you to create and implement strategies to address gaps we detect. You can have experts review your process and proper implementation so you don’t have to worry about creating the right platform and company mindset to achieve your goals. Reduce the risk your company faces and improve your company’s reputation by working with NQA for all of your ISO 27001 preparations and certifications. Contact us today for a free quote using our Quick Quote form.
  • 9. • Information Security: Preservation of confidentiality, integrity and availability of information. Secondary properties may include authenticity verification, accountability, reliability and other elements based on your ISMS. • Indicator: A measure that provides an estimate or evaluation of specified attributes derived from an analytical model (with respect to defined information needs). • Integrity: Property of accuracy and completeness in reviews, audits and more. • Interested Party: Person or organisation that can affect, be affected, or perceive themselves to be affected by a decision or activity undertaken by an ISMS, agent, employee or other party you authorise. • Level of Risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood. Further explanation available in 2.14 (consequences), 2.45 (likelihood of risk) and 2.68 (risk magnitude) • Management System: Set of interrelated or interacting elements of an organisation to establish policies, objectives and processes to achieve those objectives. Management systems can address single or multiple disciplines and must include a variety of elements such as roles, responsibilities, planning, operations, organisational structure, and more. • Measurement: Process to determine a value. This may seem vague to some but it is important because it notes that you’re required to determine proper measurements for your ISMS implementation. • Metrics: Elements of your business used to evaluate performance and effectiveness of your ISMS and information security controls. You’ll see this in documentation from auditors, but not in the specifications themselves. • Monitoring: Determining the status of a system, process or activity. Monitoring is about status and then shifts focus when events occur. • Non-conformity: Non-fulfilment of a requirement as defined by the ISMS. • Objective: Strategic, tactical or operational result to be achieved. Objectives can differ greatly and audits will need a strong structure to properly express objectives in order to evaluate them. • Outsource (verb): Make an arrangement where an external organisation performs part of an organisation’s function or process. ISMS must review and specify all outsourcing options. Controls and responsibilities must be extremely clear when outsourcing any element. • Performance: Measureable result that can relate either to quantitative or qualitative findings. • Policy: Intentions and direction of an organisation as formally expressed by its top management. • Process: Set of interrelated or interacting activities which transforms inputs into outputs. • Reliability: Property of consistent intended behaviour and results across audits, methodology and reviews. • Requirement: Need or expectation that is stated, generally implied or obligatory. “Generally implied” is listed when the necessity of custom or practice is implied. • Residual Risk: Risk that remains after a risk treatment. These can contain unidentified risks and may also be listed as “retained risks” in auditor information. • Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. • Risk: The effect of uncertainty on objectives, including real and potential events. See 2.14 through 2.89 for a better understanding of risk, its positive and negative elements, and how it can relate to a variety of situations. • Risk Owner: Person or entity with the accountability and authority to manage a risk and related responses. • Risk Treatment: Process used to modify risk. Methods can include removing sources, changing likelihoods, adjusting consequences, retaining risks by choice, adding new actions and avoiding risks. • Top Management: Person or group of people who directs and controls an organisation at the highest level. www.nqa.com